Skip to main content
Skip table of contents

Security: Managing TLS Certificates

The following describes how to renew a Time Layer Security (TLS) certificate. Renewing the TLS certificate may be required to meet your company's security rules. For example, to remove the security warning in the address bar of the browser.

Managing TLS certificates includes the following steps.

Create and Download a New Certificate Signing Request (CSR)

Your first step for renewing a TLS certificate is to create a new CSR.

  1. Log in to your Software Appliance and open the Security page.
  2. In the TLS CERTIFICATES section, click Create New CSR to open the corresponding form.
  3. Select the Key Algorithm.

    • EC prime256v1 (default)
    • RSA 4096
    • RSA 3072
    • RSA 2048
  4. Add Domains. You can enter any IPv4 or IPv6 address in the entry field. The field also supports any domain name as well as wildcard domains and punnycodes.
    The default IP address is displayed below the input field.
    Click Add next to the new entry to specify the new domain. Several new domains can be added here.
    Use the cross next to the entry on the right-hand side to remove an unwanted entry.



    If you leave the entry field blank, the default IP address displayed below will be used.

  5. Optionally specify the State/Province (ST) with Country (C), the Locality (L), and the Organization (O) that you want to add to the CSR.
  6. Click Create CSR to confirm your entries and create the CSR.
    The TLS Certificates are listed now in a table. A Status column for the certificates is displayed in the list. AWAITING ISSUANCE should be stated here.
  7. Click Download CSR in the in the Actions column, to download and save the new CSR


You can now proceed with creating a new certificate.

Create and Download the TLS Certificate

You can use your Certificate Authority (CA) in EJBCA to create a new certificate and download it.

The following describes the basic steps for making a certificate request and issue a certificate using the EJBCA RA user interface.

Note that the options available depend on your role, and when there is only one choice available and thus no selection to be made, the option is not displayed on the page. To view these predefined options, click Show details in the bottom-right of each section. For more information, refer to the EJBCA Documentation on Creating Certificates on the RA.

To create and download the TLS certificate in EJBCA, do the following:

  1. Click Overview in the Software Appliance.
  2. In the Application Overview, select Admin Web to go to EJBCA.
  3. In EJBCA, select the RA Web menu option, in the top row of menu items on the far right.
  4. In the EJBCA RA UI, click Make New Request.
  5. In the Select Request Template Certificate subtype field, select Server.
  6. Select the Key-pair generation option Provided by user to use the CSR to issue a new certificate using your trusted CA.
  7. Click Browse under Upload CSR and select the PEM file downloaded in step Create and Download a New CSR.
  8. Scroll down to Provide User Credentials and specify a Username.
  9. Click Download PEM full chain to issue the certificate and click Save to store the file.

You can create a new certificate using the Certificate Authority (CA) of your organization's choice. The following example describes the basic steps for making a certificate request and issue a certificate using the EJBCA CA. For more information, see EJBCA Documentation.

To create and download the TLS certificate in EJBCA, do the following:

  1. In EJBCA, select the RA Web menu option, in the top row of menu items on the far right.
  2. In the EJBCA RA UI, click Make New Request.
  3. In the Select Request Template Certificate subtype field, select Server.
  4. Select the Key-pair generation option Provided by user to use the CSR to issue a new certificate using your trusted CA.
  5. Click Browse under Upload CSR and select the PEM file downloaded in step Create and Download a New CSR.
  6. Scroll down to Provide User Credentials and specify a Username.
  7. Click Download PEM full chain to issue the certificate and click Save to store the file.

For more information, refer to the EJBCA Documentation on Creating Certificates on the RA.

Next, to activate the new certificate, see Upload and Activate the TLS Certificate.

Certificate Rules

The Software Appliance will check the new certificate against the following rules:

  • All domains in the certificate must match the ones in the generated CSR.
  • The public key of the certificate must match with the public key of the CSR.
  • The certificate chain of the certificate must be correct.
  • The certificate must have the digitalSignature flag set for KeyUsage.
  • The Extended Key Usage of the certificate must include server authentication.

Upload and Activate the TLS Certificate

The following describes how to activate the new certificate in the user interface of the Software Appliance:

  1. Log in to your Software Appliance and open the Security page.
  2. In the section TLS CERTIFICATES, click Upload Certificate for the certificate that is waiting for issuance:

    Certificate Bundle

    It is also possible to upload certificate bundles.

  3. Select and upload the newly created TLS certificate.
  4. The option Activate Certificate appears. Click Activate Certificate to activate the new certificate. The former certificate becomes inactive:

Individual TLS Certificates per Network Interface Card (NIC)

The support of an individual TLS certificate for each network interface card is possible.

Select which NIC should use which TLS certificate.

Only one TLS certificate can be active per NIC.

It is possible to use the same TLS certificate for multiple NICs.

  1. Log in to your Software Appliance and open the Security page.
  2. In the section TLS CERTIFICATES, click on Activate Certificate.
  3. A modal dialog for this TLS certificate will appear, showing all configured NIC.
    In this example the TLS certificate can be set for the Management Interface or Application Interface.
  4. Click on the Network Interface to be used.
    It is possible to select multiple network interfaces when activating a TLS certificate.




  5. Click Activate to proceed.
  6. The TLS certificate with the chosen Network Interface will now be shown in the list.

  7. Click Activate Certificate again to go back to the modal dialog if you want to change the settings.
    There can only be one TLS certificate for an interface. Any certificate that was previously used for this NIC will no longer be used if you activate another TLS certificate for this NIC.
  8. Click on any Interface in the Active Interfaces column to switch to the Network page in Webconf to see and/or configure the Network Interfaces.


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.